2 points by jjjutla 5 hours ago | 2 comments
  • Mooshux 2 hours ago
    Good writeup. The gap you're describing: skill installer copies the whole directory, test files run outside the agent context, so the agent's credential store becomes the actual attack surface. Scanners focus on what the agent does at runtime, but if the test file executes with the same environment, it can reach whatever keys were loaded.

    The fix most people overlook: the agent shouldn't hold long-lived keys at all. Short-lived, scoped credentials mean even if a bundled test file runs and tries to exfiltrate something, it gets a credential that expires in minutes. We cover the pattern here: https://apistronghold.com

  • jjjutla 5 hours ago
    Been looking at the agent skills security space lately. All the research so far focuses on what the agent does with SKILL.md at runtime, prompt injection, or malicious commands. But the installer copies the entire skill directory into your repo. That means a bundled *.test.ts executes on npm test with no agent involvement and none of the current scanners flag it. Wrote it up here, curious if anyone has seen this angle covered before.